What happens when you've forgotten the password that unlocks every byte of data you have stored?

That was the scenario faced recently by Web application security expert Jeremiah Grossman, CTO of WhiteHat Security, who woke up one morning and -- after many failed password attempts -- realized that he'd changed his password but forgotten what he'd changed it to.

As a result, he was unable to access the many different Mac OS X Disk Image (.dmg) files he uses to store his work, which he created with Apple FileVault using double the default level of encryption: AES-256.

"A great thing about DMGs is that they can be stored anywhere -- hidden in some obscure directory on the local machine, a network storage device, a USB drive, whatever. All my confidential files are typically stored this way, in a series of encrypted DMGs with separate passwords," said Grossman in a blog post.

Needless to say, he also uses strong passwords to make it difficult, if not impossible, to crack any of the AES-256-encrypted DMG archives via a brute-force attack. Grossman also mounts the DMGs only when they're needed, both to make the files harder to find should someone obtain his password, and to make the data much more difficult for any hackers who remotely compromise his system. Likewise, Grossman didn't store his password in the OS X Keychain. Nor did he write it down and store it in a safe or other hiding place.

Thanks to those steps, he said, "Should my computer get 'hacked,' a remote attacker will find it extremely difficult to transfer out many gigabytes worth of data as a single DMG file before being noticed, the computer loses its connection to the Internet, or the image is unmounted."

The only flaw in that plan: what if you forget your password?

After a week of trying and failing to enter the correct password, Grossman issued a plea via Twitter, which was answered by four developers: Solar Designer, gat3way, Dhiru Kholia and Magnum. They collectively created the John the Ripper (JtR) password cracker along with Jeremi Gosney of Stricture Consulting Group, which maintains a powerful GPU cluster for rapidly cracking passwords. "Collectively, these guys are the amongst the world's foremost experts in password cracking. If they can't help, no one can," said Grossman.

But Grossman couldn't simply email the password-cracking experts a multi-gigabyte DMG file, not least because of the threat of exposing intellectual property. Thankfully, a tool called dmg2john scrapes the DMG and provides output that can be cracked with JtR by others without putting the data at risk, so Grossman was able to send only the encrypted data pertaining to his password.

Then came the bad news: Thanks to AES-256, despite the use of a powerful GPU-based cluster, only about 104 hashes per second total -- 104 blind guesses per second -- could be made against 41 billion password possibilities. Fortunately for Grossman, he did remember part of his password. "Understanding this, Jeremi begins asking for more information about what the extra six or so characters in my password might have been," Grossman said. "We're (sic) they all upper- and lower-case characters? What about digits? Any special characters? Which characters were most likely used or not used? Every bit of intel helped a lot."

Ultimately, the details that Grossman remembered reduced the password combination possibilities down to just 22,472. "This meant the total amount of time required to crack the DMG was reduced to 3.5 minutes on his rig," he said. "Subsequently, Jeremi sent me what had to be one the most relieving and frightening emails I've ever received in my life. Relieving because I recognized the password immediately upon sight. I knew it was right, but my anxiety level remained at 10 until typing it in and seeing it work."

The moral of the story: No matter how secure your system might be, never discount the human element, even if that human is an information security specialist. In addition, always back up your passwords. "Clearly I need paper backup, and [I'm] thinking maybe about giving it to my attorney for safekeeping where it'll enjoy legal privilege protection," said Grossman.

Rick Falkvinge, the founder of the Swedish Pirate Party and a campaigner for sensible information policy, will present the keynote address at Black Hat Europe 2013. Black Hat Europe will take place March 12-15 at The Grand Hotel Krasnapolsky in Amsterdam.

Welcome to
TechWeb, the IT professional's online resource for news coverage of the
information technology industry. We know technology news. Our mobile
and wireless news coverage moves as fast as wireless technology itself.
We follow all the devices you depend on to stay connected. Our software
coverage follows the multi-faceted software industry from every angle.
We've got a lock on network security and computer security issues.
We're all over the business of the Web--the Internet business--and the
engines that run it. We have our eyes and ears tuned to the players who
make and run the tools that tie us all together--Google, Microsoft,
eBay, Cisco, Yahoo, Oracle, Apple, Sony--and scores of others. And we
keep close tabs on the backbone of information technology, PC hardware.
We know PCs and Apple computers inside and out. We cover computer
technology, computer news, software news, search engine news, business
software, operating systems, and software development. Our coverage of
tech news includes a strong focus on the security business, its
attendant spyware and viruses, how security relates to wireless
technology and business networking and the security issues surrounding
RFID technology. We closely follow developments in Internet news and
Internet technology, including the spread of broadband and its effect
on Web browsers and the Web business. We watch the VoIP business, and
how VoIP technology is affecting the state of telephony in the
enterprise. And if all that isn't enough, we also track developments in
the IT industry that affect IT jobs, IT careers, and outsourcing.